from the you've-got-mail dept

You've all heard of this kind of scam before. Some nefarious person or group gets a hold of someone's email or computer screen, pretends to be someone in some official capacity, and demands a whatever sum of money they can get away with. Some of the time these scammers pretend to be the IRS, or a utility company, or even law enforcement. What these scams tend to mostly have in common is that they go after private citizens en masse, in the hope to entice whatever percentage of the more gullible amongst us to pay up. What you don't expect to hear about is one of the largest corporations in the United States essentially falling for the same thing.

The Scoular Co., an employee-owned commodities trader founded 120 years ago, has been taken for $17.2 million in an international email swindle, according to federal court documents. An executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so, says an FBI statement filed last month in U.S. District Court in Omaha.

Sort of takes your breath away, doesn't it. One would like to think that it takes more for any company to move millions of dollars around internationally than a simple email string. Whatever else, this seems to indicate a complete failure of process, with the lack of checks against fraud and mistakes occurring on stunning levels. In attempts to explain how this happened, Scoular CEO Chuck Elsea wove a tail of compromised identities (including his) and coincidences that caused all of this to happen. The tale, however, leaves the reader certain that there was still some serious stupid going on here.

The gambit involved emails sent to a Scoular executive that purported to be from Elsea and the company’s outside auditing firm. The emails directed the wire transfer of millions of dollars to a Chinese bank. But court documents say the emails were really from impostors using email addresses set up in Germany, France and Israel and computer servers in Moscow. The three wire transfers, the FBI says, happened in June 2014. They were prompted by emails sent to Scoular’s corporate controller, identified in the FBI statement as McMurtry. The emails purported to be from Scoular CEO Elsea, but were sent from an email address that wasn’t his normal company one.

Which is precisely where this scam should have died on its scammy vine, wilting under the dry heat of "haha, the boss got his personal email hacked." The idea that millions of dollars can be ordered transferred from an email address not associated with the company is ludicrous. Die, however, the scam did not.

The first email on June 26 instructed McMurtry to wire $780,000, which the FBI statement says he did. The next day, McMurtry was told to wire $7 million, which he also did. Three days later, another email was sent to McMurtry, instructing him to wire $9.4 million. McMurtry again complied. The first two emails from the faux CEO contain the swindle’s setup, swearing the recipient to secrecy over a blockbuster international deal.

McMurtry has reportedly been cooperating with the FBI and providing them with the reasons he so easily complied with the rogue emails' requests. Those excuses include some of the scam emails looking like they came from the company's outside accounting firm and that Scoular had indeed been in discussions for an expansion into China. Those excuses, though, don't alter the fact that a simple phone call to the parties involved, to Elsea's office (or, hell, at the watercooler or whatever), or to the general office number for the accounting firm would have exposed the scam entirely and saved the company 17 mil-do in the process. How does something like that happen?

from the aha! dept

I'm no longer surprised that people fall for Nigerian advance fee "419" scams. It seems that every generation falls for something along those lines. In the past, I've talked about the bogus story of Drake's fortune, which was the "Nigerian scam" of nearly a century ago. But what certainly has surprised me is how little the story really seems to change. Given how closely so many people associate "Nigerian prince" with "scam," you'd think that it would make sense for scammers to move away from such things, and try to find a story that is slightly more realistic. However, On the Media points us to a fascinating research paper by Microsoft researcher Cormac Herley, and a Wall Street Journal article about the research, which reveal why it still makes sense for Nigerian scammers to say they're from Nigeria:

It weeds out all the non-suckers.

Think about it from the scammer's point of view. With advance fee scams, they need to string along someone for a while. A live sucker can be quite valuable, but also involves quite a bit of work. So, for it to be worthwhile, they actually need exceptionally gullible people and by flat out saying they're from Nigeria, given how closely associated that country is with such scams, they quickly weed out the people who are probably smart enough to realize they're getting conned. Since the cost to them of spamming everyone is close to nothing, you may be confused about why you keep getting "Nigerian prince" emails, but they don't care about you. In fact, in ignoring those emails, you're kind of doing them a favor by not bothering them with time-consuming efforts that won't pay off.

As the WSJ piece notes, this highlights a potentially better way to deal with such scammers: waste their time. Of course, we've written about such scambaiters before, with 419 Eater being the most well known community. But this research suggests that, not only are such efforts amusing, they can be genuinely effective in harming the economics of such advance-fee frauds.

from the oooooh,-1.21-jigawatts!! dept

I imagine this won't come as a huge surprise to many of you, but it appears that we're all influenced by the presence of tech specs on a product -- even if those specs are somewhat meaningless. A variety of separate studies showed that people would usually purchase the product with "more" specs, even if they were meaningless. One of the tests even had people create their own tech specs based on their usage, and they were still more influenced by the specs than the actual usage. Apparently, we need to get busy adding more "tech specs" to our products around here...